March 19th, 2009
Posted in News
This week I started teaching a new session of classes. One of the classes I’m teaching is on ethics, policies and procedures. The objective of the class is to teach students the ethics associated with network security, along with the process of developing policies, including standards and guidelines, and the procedures that go with them. No matter what I do, I always feel like the class turns into a business/psychology type of class rather than a network security class. I guess that is because the reason policies and procedures exist in the first place is users, and the need to protect company data from what they do.
In the first part of the class we focus on policies. One of the items we discuss is where these policies come from. We all know that the mission of any business is to make money. So if security is a cost center, how does a business decide what money it will spend on security? Well, one motivator for businesses to spend money is to meet compliance mandates. This comes back to the point that a business will not spend money on something unless it is required to by law or because it provides an ROI.
The ones we focus on in class include PCI DSS, GLBA, HIPAA, FISMA and ISO 27001/27002, all of which are discussed in some detail throughout the class. The problem I have is that for some businesses these mandates are the baseline for their security, meaning that some businesses will only spend money on security up to the point where they are compliant and then stop. Now this could be for a number of reasons: time constraints, costs, lack of resources to do anything more, etc. The point is that some believe that nothing bad can happen to them, until it does. I honestly don’t know why. What I do know is that none of the security compliance mandates I listed is intended to be the “be-all end-all” for securing a business. Each one has its own scope (cardholder data for PCI DSS, customer financial information for GLBA, protected health information for HIPAA, federal information systems for FISMA), and that scope does not take into account any other aspect of the business or the technology involved.
So if you’re in a position to drive change in your department, organization or the corporation, please help to educate and communicate the real security requirements needed to protect the company’s mission, its customers and its employees. I think one of the clearest and most concise statements about compliance recently made was by Michael Starks in his “An Open Letter to CEO’s” post:
…we need to have a security program that is perpetually healthy–one that creates and builds a security culture. It needs to be healthy enough where passing audits is a natural consequence of how we handle information.
Meeting security compliance mandates should be a positive side effect of your security practices, not the motivation for them.
I am always open to feedback so please feel free to post a comment.
Tags: FISMA, GLBA, HIPAA, ISO 27001/27002, PCI DSS, security compliance, security mandates